PatchSiren cyber security CVE debrief
CVE-2017-3312 MARIADB CVE debrief
CVE-2017-3312 is a medium-severity vulnerability in the MySQL Server component, specifically the Server: Packaging subcomponent. According to the CVE description, a low-privileged attacker with logon access to the host where MySQL Server runs can compromise the service, but successful exploitation also requires human interaction by another person. NVD maps the issue to Oracle MySQL versions 5.5.53 and earlier, 5.6.34 and earlier, and 5.7.16 and earlier, and also lists related MariaDB and Debian package ranges in its CPE data. The practical risk is highest on shared servers or environments that allow untrusted local logins.
- Vendor: MARIADB
- Product: CVE-2017-3312
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Database administrators, Linux/server administrators, and security teams responsible for Oracle MySQL or MariaDB packages on shared or multi-user hosts, especially where local shell access is available to non-trusted users.
Technical summary
The source corpus describes a local attack path with high attack complexity, low privileges, and required user interaction (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). The affected area is the MySQL Server packaging component rather than a network-facing protocol path. NVD provides no specific CWE beyond NVD-CWE-noinfo, but it does document affected Oracle MySQL version ranges and additional package mappings for MariaDB and Debian.
Defensive priority
Patch promptly on any system still running affected versions, with highest priority on shared hosts or environments where local user logon is possible. Even though exploitation is difficult, successful compromise can result in full MySQL Server takeover.
Recommended defensive actions
- Upgrade Oracle MySQL beyond 5.5.53, 5.6.34, and 5.7.16 as applicable to your branch.
- Check whether your deployment uses MariaDB or Debian packages mapped by NVD for this CVE and apply the corresponding vendor updates.
- Review host access controls so only trusted administrators can log in to systems running MySQL Server.
- Inventory all servers and containers to confirm no affected package versions remain in production or staging.
- Use the Oracle, Debian, Red Hat, and Gentoo advisories linked in the source corpus to confirm the correct fixed package set for your platform.
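For the inventory step above, the following added example (not part of the original debrief or of any vendor tooling) classifies collected server version banners against the three Oracle MySQL ranges stated on this page. The host names and banner strings are constructed sample data, and the function names are hypothetical; MariaDB builds and unlisted branches are flagged for manual review because the page gives no fixed-version numbers for them.

```python
import re

# Last affected release per Oracle MySQL branch, as stated on this page:
# 5.5.53 and earlier, 5.6.34 and earlier, 5.7.16 and earlier.
LAST_AFFECTED = {(5, 5): 53, (5, 6): 34, (5, 7): 16}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'not-affected', 'check-vendor', 'not-listed' or 'unparsed'."""
    match = VERSION_RE.search(banner)
    if not match:
        return "unparsed"
    major, minor, patch = (int(part) for part in match.groups())
    # The page names MariaDB CPE mappings but gives no version ranges for
    # them, so MariaDB builds go to the vendor advisory rather than a guess.
    if "mariadb" in banner.lower():
        return "check-vendor"
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"  # branch outside the three ranges on the page
    return "affected" if patch <= last else "not-affected"


def needs_action(banners):
    """Return sorted (host, status) pairs for every host that is not clean."""
    results = ((host, classify(text)) for host, text in banners.items())
    return sorted(pair for pair in results if pair[1] != "not-affected")


# Constructed sample input: output of `mysqld --version` gathered per host.
SAMPLE_BANNERS = {
    "db-a.example": "mysqld  Ver 5.7.16 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-b.example": "mysqld  Ver 5.7.17 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-c.example": "mysqld  Ver 5.5.53 for Linux on x86_64 (MySQL Community Server (GPL))",
    "db-d.example": "mysqld  Ver 10.1.20-MariaDB for Linux on x86_64 (MariaDB Server)",
    "db-e.example": "mysqld: command not found",
}

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_BANNERS):
        print(f"{host}\t{status}")
```

A distribution package can carry a backported fix under an unchanged upstream version number, so an "affected" result from a distro build should be confirmed against that distribution's advisory before scheduling the upgrade.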
Evidence notes
The CVE description states that the vulnerability can allow a low-privileged attacker with logon access to compromise MySQL Server and that human interaction is required. NVD records CVSS v3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H and version ranges for Oracle MySQL 5.5.53/5.6.34/5.7.16 and earlier, plus additional MariaDB and Debian CPE mappings. PublishedAt is 2017-01-27T22:59:04.350Z; modifiedAt is 2026-05-13T00:24:29.033Z.
Official resources
- CVE-2017-3312 CVE record (CVE.org)
- CVE-2017-3312 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published 2017-01-27; NVD record modified 2026-05-13. Timing in this debrief follows the CVE publication date, not the later modification date.